Designing an Offshore Security Program

Even with a growing number of functions being outsourced to offshore locations across geographies, a single comprehensive security program rarely exists. Designing and implementing a systematic offshore security program can mitigate offshore data security concerns.
As the graphic below illustrates, a well-defined framework that encompasses people, policies, processes and infrastructure can benefit both the client and the service provider.
With a clear understanding of the concerns, you're ready to tackle the issue of how to address common offshore data security issues, from ensuring security in your IT infrastructure to proper training. Here are some tasks to tackle:
Task #1: Tweak the enterprise IT architecture to improve security
Companies do not always require an overhaul of their enterprise architecture to make it security compliant. Usually, just some tweaking is needed. It begins by understanding the IT systems that control sensitive data and then securing the data and the IT systems. Here are three examples of specific initiatives:
a. Data classification and masking: Data is classified based on its importance, and the critical data fields are masked before they are sent offshore. The data masking is usually a one-time, large effort followed by an incremental small effort. This effort helps the service providers focus and put effective controls on the important data instead of dissipating their effort on all the data.
b. Role classification: Once critical data is classified, it is important that it only be accessed by those authorized to see it. This calls for role definition and data access classification. The key step is to properly define the roles and find gaps in the IT systems where role-based data access is not working as per the security policy.
c. Define enterprise security standards: Clients have begun specifying standards related to networks, desktops and servers in order to incorporate security policies. For example, in the network area, standard policies exist around network segregation, firewalls and data encryption to which all service providers adhere. These standards reduce the risk of breaches and provide audit trails for future analysis.
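
The classify-then-mask step in item (a), as an added Python example that is not from the article: each field carries a handling rule, and a field with no classification blocks the export instead of passing through unmasked. The field names, rule names, sample record and key are constructed assumptions.

```python
import hmac
import hashlib

# Constructed classification map (assumption): field name -> handling rule.
CLASSIFICATION = {
    "customer_id": "pseudonymize",  # critical, but needed offshore as a join key
    "ssn": "redact",                # critical, never needed offshore
    "card_number": "partial",       # critical, last 4 characters retained
    "email": "pseudonymize",
    "order_total": "public",
    "country": "public",
}

def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic token so joins still work; the key stays onshore."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def partial(value: str, keep: int = 4) -> str:
    """Keep the last `keep` characters; fully mask values too short to truncate."""
    digits = value.replace(" ", "").replace("-", "")
    if len(digits) <= keep:
        return "*" * len(digits)
    return "*" * (len(digits) - keep) + digits[-keep:]

def mask_record(record: dict, key: bytes) -> dict:
    """Apply the classification map; fail closed on unclassified fields."""
    out = {}
    for field, value in record.items():
        rule = CLASSIFICATION.get(field)
        if rule is None:
            raise ValueError(f"unclassified field blocked from export: {field}")
        if rule == "public":
            out[field] = value
        elif rule == "redact":
            out[field] = "REDACTED"
        elif rule == "partial":
            out[field] = partial(str(value))
        elif rule == "pseudonymize":
            out[field] = pseudonymize(str(value), key)
        else:
            raise ValueError(f"unknown rule {rule!r} for field {field}")
    return out

# Constructed sample key and record, for illustration only.
SAMPLE_KEY = b"constructed-demo-key-kept-onshore"
SAMPLE = {"customer_id": "C-1001", "ssn": "123-45-6789",
          "card_number": "4111 1111 1111 1111", "email": "a@example.com",
          "order_total": 42.50, "country": "US"}
```

Because the pseudonymization is keyed, the service provider cannot rebuild tokens from guessed inputs without the key, while the client can still correlate masked records across extracts.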

Indy Banerjee is Director at TPI, a global sourcing advisory firm. He advises Fortune 2000 clients on effective transformation of their global business operations for TPI. He can be reached at indy.banerjee@tpi.net.